Third Annual Benchmark Study on Patient Privacy & Data Security
Presented by Ponemon Institute, December 2012
Part 1. Introduction
Healthcare organizations seem to face an uphill battle in their efforts to stop and reduce the loss
or theft of protected health information (PHI) or patient information. As is revealed in the Third
Annual Benchmark Study on Patient Privacy and Data Security, many healthcare organizations
struggle with a lack of technologies, resources and trained personnel to deal with privacy and
data security risks.
The consequence of not having adequate funding, solutions and expertise in place is clear. Since
first conducting this study in 2010 the percentage of healthcare organizations reporting a data
breach has increased and not declined. Further, there are more reports of multiple breaches and
only 40 percent of organizations in this study have confidence that they are able to prevent or
quickly detect all patient data loss or theft.
Since 2010 the threats to healthcare organizations have become increasingly difficult to
control. Technologies that promise greater productivity and convenience such as mobile devices,
file-sharing applications and cloud-based services are difficult to secure. Employee mistakes and
negligence also continue to be a significant cause of data breach incidents. Another worry
presented in this research is that sophisticated and stealthy attacks by criminals have been
steadily increasing since 2010.
The price tag for dealing with these breaches can be staggering. While the cost can range from
$10,000 to more than $1 million, we calculate that the average cost for the organizations
represented in this benchmark study is $2.4 million over a two-year period. This is up slightly from
$2.2 million in 2011 and $2.1 million in 2010.
The types of healthcare organizations participating in the study are hospitals or clinics that are
part of a healthcare network (46 percent), integrated delivery systems (36 percent) and
standalone hospital or clinic (18 percent). This year 80 healthcare organizations participated in
this benchmark research and 324 interviews were conducted [1]. Respondents interviewed work in
all areas of the organization: security, administrative, privacy, compliance, finance and clinical.
Key Research Findings:
More healthcare organizations are having several breaches. Ninety-four percent of
healthcare organizations in this study have had at least one data breach in the past two years.
However, 45 percent report that they have had more than five incidents. In 2010, only 29 percent
reported that their organization had more than 5. This suggests the importance of determining the
cause of the breach and what steps need to be taken to address areas potentially vulnerable to
future incidents.
Data breaches can have severe economic consequences. The economic impact of one or
more data breaches for healthcare organizations in this study ranges from less than $10,000 to
more than $1 million over a two-year period. Based on the ranges reported by respondents, we
calculated that the average economic impact of data breaches over the past two years for the
healthcare organizations represented in this study is $2.4 million. This is an increase of almost
$400,000 since the study was first conducted in 2010. As this finding demonstrates, the average
annual cost to the healthcare industry could potentially be as high as almost $7 billion [2]. Data
breaches costing more than $500,000 have increased from 48 percent of healthcare
organizations in 2010 to 57 percent of respondents in this year’s study.
[1] Benchmark research differs from survey research. The unit of analysis in benchmark research is the organization and in survey research it is the individual.
[2] This is based on multiplying $1,195,135 x 5,754 (average economic impact for a healthcare organization over a one-year period x the total number of registered US hospitals per the AHA).
Ponemon Institute: Private & Confidential Report
Insider negligence continues to be at the root of the data breach. The primary cause of
breaches in this study is a lost or stolen computing device (46 percent), which can be attributed in
many cases to employee carelessness. This is followed by employee mistakes or unintentional
actions (42 percent), and third-party snafus (42 percent). A major challenge for IT security is the
rise in criminal attacks, which have increased from 20 percent in 2010 to 33 percent
this year.
Respondents acknowledge the harms to patients if their records are lost or stolen. The
types of patient data lost or stolen most often are medical files and billing and insurance records,
as discussed above. Seventy percent of respondents say there is an increased risk that personal
health facts will be disclosed if the records are stolen or lost. This is followed by the risk of
financial identity theft and medical identity theft (61 percent and 59 percent, respectively).
Medical identity theft occurs and can affect patient treatment. Fifty-two percent of
organizations report that their healthcare organizations had one or more incidents of medical
identity theft. While only 18 percent say the theft was a result of a data breach, 32 percent are
unsure. This uncertainty is due in part to the finding that only one-third say they have sufficient
controls in place to detect medical identity theft.
Employee records are also at risk. Respondents are more confident that patient billing
information and medical records will not be susceptible to data loss or theft. In 2011, 39 percent
of respondents said patient-billing information was vulnerable. This year the frequency of
response declined to 29 percent. Similarly, the susceptibility of patient medical records declined
from 25 percent of respondents in 2011 to 15 percent of respondents who believe this information
is most at risk. In contrast, a much higher percentage of respondents in this year’s study believe
employee records have become the most susceptible to data loss or theft than last year (an
increase from 9 percent to 21 percent).
Trends in mobility and employee owned devices put patient data at risk. Eighty-one percent
of organizations permit employees and medical staff to use their own mobile devices such as
smartphones or tablets to connect to their networks or enterprise systems such as email. On
average, 51 percent of employees are bringing their own devices to the healthcare facility.
Unsecured medical devices are vulnerable to hackers. Medical devices containing sensitive
patient information such as wireless heart pumps, mammogram imaging and insulin pumps often
use commercial PCs and have wireless connections that make them vulnerable to cyber attacks.
According to the healthcare organizations in this study, 69 percent of organizations do not secure
medical devices. This finding may reflect the possibility that they believe it is the responsibility of
the vendor, not the healthcare provider, to protect these devices.
Healthcare organizations embrace the cloud. Sixty-two percent of organizations make
moderate or heavy use of cloud services. Only 9 percent do not use cloud services. However, 47
percent are not confident that information in the cloud is secure and 23 percent are only
somewhat confident.
Concerns about the security of Health Information Exchanges (HIE) are keeping
organizations from joining. Only 28 percent of organizations say their organization is a member
and another 17 percent say they will become a member. More than one-third (35 percent) say
they do not plan to become a member of HIE. The primary reason could be that 66 percent of
respondents say they are only somewhat confident (30 percent) or not confident (36 percent) in
the security and privacy of patient data on HIEs.
Confidence in the ability to prevent and detect a data breach improves but still has far to
go. In 2010, only 31 percent of organizations said they had confidence in preventing and
detecting all patient data loss or theft in their organization. This percentage has been steadily
climbing and it is now at 40 percent. What has improved is that organizations are relying less on
an “ad hoc” process and more on policies and procedures and a combination of manual
procedures and security technologies.
Compliance encourages improvements in privacy and data security. Thirty-six percent of
respondents strongly agree or agree that recent Office of Civil Rights (OCR) HHS
HIPAA/HITECH audits and fines have led to changes in their organization’s patient data
privacy and security programs. Sixty-eight percent of organizations conduct and document post
data breach incident risk assessments as mandated by the HITECH Act, an increase from 61
percent last year.
Employee training is the most common activity but does not seem to be effective in
reducing insider negligence. The primary activity conducted by healthcare organizations is to
comply with annual or periodic HIPAA privacy and security awareness training of all staff. This is
followed by 49 percent who vet and monitor third parties, including business associates. Annual
security risk assessments are done by less than half (48 percent) of organizations. The activity
performed the least is a periodic privacy risk assessment. While performed the least, privacy risk
assessments that evaluate privacy controls and policy may be best able to reduce the frequency
of data breaches unintentionally caused by employees.
Barriers to achieving a stronger defense against data breaches continue to be a shortage
of technologies, funding and expertise. Fifty-two percent of respondents agree that they have
sufficient policies and procedures to prevent or quickly detect unauthorized patient data access,
loss or theft. This increased from 41 percent in 2010 and can be attributed to the need for
compliance with regulations. However, only 27 percent say they have sufficient resources and 34
percent say they have a sufficient security budget. Technologies and personnel are adequate
according to 40 percent and 45 percent of respondents.
The following are some of the top findings of the study. They are discussed in more detail with
other results in Part 2 of this report.
• Ninety-four percent of organizations in our study have had at least one data breach in the past two years. The average number for each participating organization is 4 data breach incidents in the past two years.
• The average economic impact of a data breach over the past two years for the healthcare organizations represented in this study is $2.4 million. This is an increase of almost $400,000 since the study was first conducted in 2010.
• The average number of lost or stolen records per breach is 2,769. The types of patient data lost or stolen most often are medical files and billing and insurance records.
• The top three causes for a data breach are: lost or stolen computing devices, employee mistakes and third-party snafus.
• Fifty-two percent discovered the data breach as a result of an audit or assessment followed by employees detecting the breach (47 percent).
• More than half (54 percent) of organizations have little or no confidence that their organization has the ability to detect all patient data loss or theft.
• Eighty-one percent permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to their organization’s networks or enterprise systems. However, 54 percent of respondents say they are not confident that these personally owned mobile devices are secure.
• Ninety-one percent of hospitals surveyed are using cloud-based services, yet 47 percent lack confidence in the ability to keep data secure in the cloud.
• Despite recent attacks on medical devices, 69 percent of respondents say their organization’s IT security and/or data protection activities do not include the security of FDA-approved medical devices.
Part 2. Key findings
In this report, we have organized the most salient research results according to the following four
topics:
• Healthcare organizations have multiple breaches.
• Data breaches put patients and their information at risk for disclosure and financial and medical identity theft.
• Technology trends threaten healthcare’s ability to protect patient information.
• Healthcare organizations take steps to prevent breaches but many still lack resources.
The complete audited findings of this study are presented in the appendix of this report.
1. Healthcare organizations have multiple breaches.
More healthcare organizations are having several breaches. According to Figure 1, 94
percent of healthcare organizations in this study have had at least one data breach in the past
two years. However, 45 percent report that they have had more than five incidents. In 2010, only
29 percent reported that their organization had more than 5. This suggests the importance of
determining the cause of the breach and what steps need to be taken to address areas potentially
vulnerable to future incidents.
Figure 1. Experienced a data breach involving the loss of patient data in the past two years
[Figure: bar chart comparing FY 2012, FY 2011 and FY 2010 across the categories No; Yes, 1 incident; Yes, 2 to 5 incidents; Yes, more than 5 incidents]
It is not surprising that data breaches are most likely to involve healthcare records with the kind of
sensitive and valuable information that appeals to identity thieves. According to the findings
presented in Figure 2, medical files and billing and insurance records are the most likely to be lost
or stolen. This is consistent with the findings from 2011. It is interesting to note that payment
details as a type of data that is lost or stolen increased significantly from 17 percent to 24 percent.
Figure 2. Type of data that was lost or stolen
More than one choice permitted
[Figure: bar chart comparing FY 2012 and FY 2011 across Medical file; Billing & insurance record; Payment details; Prescription details; Scheduling details; Monthly statements; Other]
Data breaches can have severe economic consequences. Figure 3 reveals that the economic
impact of one or more data breaches for healthcare organizations in this study ranges from less
than $10,000 to more than $1 million over a two-year period.
Based on the ranges reported by respondents, the average economic impact of data breaches
over the past two years for the healthcare organizations represented in this study is $2.4 million.
This is an increase of almost $400,000 since the study was first conducted in 2010. As this
finding demonstrates, the average cost to the healthcare industry could potentially be as high as
$7 billion annually. The figure also shows that data breaches costing more than $500,000 have
increased from 48 percent of healthcare organizations in 2010 to 57 percent of respondents in
this year’s study.
Figure 3. Economic impact of data breach incidents experienced over the past two years
[Figure: bar chart comparing FY 2012, FY 2011 and FY 2010 across More than $1 million; $500,001 to $1 million; $200,001 to $500,000; $100,001 to $200,000; $50,001 to $100,000; $10,001 to $50,000; Less than $10,000; Cannot determine]
According to the organizations in this study, the average number of lost or stolen records per
breach was 2,769 (Figure 4). Other research conducted by Ponemon Institute has found the
average cost per one lost or stolen record is $194 [3]. Based on the average number of lost or stolen
records in this study, only one data breach could have an economic impact of about $537,186.
Figure 4. Number of compromised records
[Figure: bar chart comparing 2012, 2011 and 2010 across 10 – 100; 101 - 1,000; 1,001 - 5,000; 5,001 - 10,000; 10,001 – 100,000; Over 100,000]
[3] See 2011 Cost of a Data Breach, conducted by Ponemon Institute and sponsored by Symantec, March 2012.
Insider negligence continues to be at the root of the data breach. According to Figure 5, the
primary cause of breaches in this study is a lost or stolen computing device (46 percent), which
can be attributed in many cases to employee carelessness. This is followed by employee
mistakes or unintentional actions (42 percent), and third-party snafus (42 percent). A major
challenge for IT security is the increase in criminal attacks, which has increased from 20 percent
in 2010 to 33 percent this year.
Figure 5. Nature of the incident
More than one choice permitted
[Figure: bar chart comparing FY 2012, FY 2011 and FY 2010 across Lost or stolen computing device; Unintentional employee action; Third-party snafu; Criminal attack; Technical systems glitch; Malicious insider; Intentional non-malicious employee action]
2. Data breaches put patients and their information at risk for disclosure and financial and
medical identity theft.
Respondents acknowledge the harms to patients if their records are lost or stolen. The
types of patient data lost or stolen most often are medical files and billing and insurance records,
as discussed above. Seventy percent of respondents say there is an increased risk that personal
health facts will be disclosed if the records are stolen or lost. This is followed by the risk of
financial identity theft and medical identity theft (61 percent and 59 percent, respectively), as
shown in Figure 8.
Figure 8. Harms patients suffer if their records are lost or stolen
More than one choice permitted
[Figure: bar chart comparing FY 2012, FY 2011 and FY 2010 across Increased risk that personal health facts will be disclosed; Increased risk of financial identity theft; Increased risk of medical identity theft; None]
While there is agreement that patients are at greater risk of financial identity theft if their records
are lost or stolen, 65 percent of respondents say their organizations do not offer credit monitoring
or other protection services.
Medical identity theft occurs and can affect patient treatment. As shown in Figure 9, 52
percent of organizations report that their healthcare organizations had one or more incidents of
medical identity theft. While only 18 percent say the theft was a result of a data breach, 32
percent are unsure. This uncertainty is due in part to the finding that only one-third say they have
sufficient controls in place to detect medical identity theft.
Figure 9. Number of identity theft incidents experienced over the past 12 months
[Figure: bar chart across None; Only 1; 2 to 5; 6 to 10; More than 10]
The effect of medical identity theft could prove to be fatal, as revealed in Figure 10. Thirty-nine
percent (3 percent + 36 percent) of those healthcare organizations that experienced medical
identity theft in their organizations say it resulted in inaccuracies in the patient’s medical record
and 26 percent (3 percent + 23 percent) say it affected the patient’s medical treatment.
Figure 10. Consequences of medical identity theft on patient records
[Figure: bar chart across Yes, absolutely certain; Yes, most likely; No; Unsure, for two questions: "Have any medical identity theft incidents occurred that resulted in inaccuracies in patients’ records?" and "Has this affected the patient’s medical treatment as a result of inaccuracies?"]
3. Technology trends threaten healthcare’s ability to protect patient information.
Trends in mobility and employee owned devices put patient data at risk. Eighty-one percent
of organizations permit employees and medical staff to use their own mobile devices such as
smartphones or tablets to connect to their networks or enterprise systems such as email. Figure
12 shows the percentage of employees allowed to use their personal devices in the workplace.
On average, 51 percent of employees are bringing their own devices to the healthcare facility.
Figure 12. Personally owned mobile device use in the workplace
[Figure: bar chart of the percentage of employees using personal devices, across Less than 10%; 10 to 25%; 26 to 50%; 51 to 75%; More than 75%]
However, respondents say their organizations are allowing BYOD despite a lack of confidence
that they can make sure these devices are secure. According to the findings, 54 percent are not
confident and only 9 percent are very confident they are secure.
Steps taken to protect their networks and systems are shown in Figure 13. They are: limiting
access from devices to critical systems, including those that connect to PHI, requiring users to
read and sign an acceptable use policy prior to connection and scanning devices for viruses and
malware while they are connected. However, 46 percent of respondents admit that they do not
take these or other precautions listed in the figure.
Figure 13. Measures to ensure devices are secure enough to connect to the network
More than one response permitted
Limit access from devices to critical systems: 51%
Require user to read and sign an acceptable use policy: 45%
Scan devices for viruses and malware while they are connected: 40%
Limit or restrict the download of PHI: 38%
Require anti-virus/anti-malware software to reside on the mobile device: 23%
Scan devices for viruses and malware prior to connection: 21%
Scan devices and remove apps that present a security threat: 16%
None of the above steps are done: 46%
Other: 2%
Unsecured medical devices are vulnerable to hackers. Medical devices containing sensitive
patient information such as wireless heart pumps, mammogram imaging and insulin pumps often
use commercial PCs and have wireless connections that make them vulnerable to cyber attacks.
According to the healthcare organizations in this study, 69 percent of organizations do not secure
medical devices. This finding may reflect the possibility that they believe it is the responsibility of
the vendor, not the healthcare provider, to protect these devices.
Healthcare organizations embrace the cloud. According to Figure 14, 62 percent say their
organizations make moderate or heavy use of cloud services. Only 9 percent say they do not use
cloud services. However, 47 percent of respondents say they are not confident that information in the
cloud is secure and 23 percent are only somewhat confident.
Figure 14. Use of cloud services
[Figure: bar chart across No use of cloud services; Light use of cloud services; Moderate use of cloud services; Heavy use of cloud services]
Figures 15 and 16 reveal the applications and types of information processed and stored in the
cloud. Based on what patient information is in the cloud it is important that organizations ensure
cloud computing services meet their security standards.
As shown in Figure 15, the applications or services most used are storage, file-sharing
applications, business applications and peer-to-peer communications.
Figure 15. Cloud applications or services in use
More than one response permitted
Storage: 41%
File sharing applications: 39%
Business applications: 35%
Peer-to-peer communications: 35%
Infrastructure applications: 33%
Services such as identity management, payments, search and others: 28%
Social media applications: 26%
Solution stacks such as Java, PHP, Python, ColdFusion and others: 19%
Other: 2%
The types of information most often processed or stored in the cloud are email applications,
productivity applications, accounting information and employee information such as payroll data
(Figure 16). Also processed or stored in the cloud, but not as often, are patient medical records
and billing information.
Figure 16. Types of information processed and/or stored in the cloud
More than one response permitted
Email applications: 49%
Productivity applications: 46%
Accounting and financial information: 46%
Employee information including payroll data: 41%
Patient billing information: 30%
Administrative and scheduling information: 28%
Patient medical records: 26%
Clinical trial and other research information: 5%
None of the above: 37%
Other: 2%
Concerns about the security of Health Information Exchanges (HIE) are keeping
organizations from joining. Only 28 percent of organizations say their organization is a member
and another 17 percent say they will become a member. More than one-third (35 percent) say
they do not plan to become a member of HIE. The primary reason could be that 66 percent of
respondents say they are only somewhat confident (30 percent) or not confident (36 percent) in
the security and privacy of patient data shared on HIEs.
4. Healthcare organizations take steps to prevent breaches but many still lack resources.
Confidence in the ability to prevent and detect a data breach improves but still has far to
go. In 2010, only 31 percent of organizations said they had confidence in preventing and
detecting patient data loss or theft in their organization. This percentage has been steadily
climbing and it is now at 40 percent, as shown in Figure 17. What has improved is that
organizations are relying less on an “ad hoc” process and more on policies and procedures and a
combination of manual procedures and security technologies.
Figure 17. Ability to prevent or detect patient data loss
Very confident and confident response combined
FY 2012: 40%
FY 2011: 34%
FY 2010: 31%
Compliance encourages improvements in privacy and data security. Thirty-six percent of
respondents strongly agree or agree that recent Office of Civil Rights (OCR) HHS
HIPAA/HITECH audits and fines have led to changes in their organization’s patient data
privacy and security programs.
According to Figure 18, 68 percent of organizations conduct and document post data breach
incident risk assessments as mandated by the HITECH Act, an increase from 61 percent last
year.
Figure 18. Post data breach risk assessments are conducted and documented
[Figure: bar chart comparing FY 2012 and FY 2011 across Yes (68% in FY 2012, 61% in FY 2011); No; Unsure]
As mentioned previously, most data breaches are discovered through the process of conducting
an audit or assessment (Figure 19). Further, more organizations are using a paper-based
process or software-based process or tool that was developed internally (34 percent and 17
percent, respectively).
Figure 19. Risk assessment methods
A paper-based process or tool that was developed internally: 34% (FY 2012), 31% (FY 2011)
An ad-hoc process: 28% (FY 2012), 33% (FY 2011)
A software-based process or tool that was developed by a third party: 21% (FY 2012), 21% (FY 2011)
A software-based process or tool that was developed internally: 17% (FY 2012), 15% (FY 2011)
Employee training is the most common activity but does not seem to be effective in
reducing insider negligence. Figure 20 reveals that the primary activity conducted by
healthcare organizations is to comply with annual or periodic HIPAA privacy and security
awareness training of all staff, as reported by 56 percent of the organizations. How effective is the
training when employee negligence and mistakes rank second among the root causes of a data
breach? This is followed by 49 percent who vet and monitor third parties, including business
associates.
Annual or periodic security risk assessments are done by less than half (48 percent) of
organizations. The activity performed the least is a periodic privacy risk assessment. While
performed the least, privacy risk assessments that evaluate privacy controls and policy may be
best able to reduce the frequency of data breaches unintentionally caused by employees.
Figure 20. Data protection practices
More than one response permitted
Annual or periodic HIPAA privacy and security awareness training of all staff: 56%
Vetting and monitoring of third parties, including business associates: 49%
Updating of agreements with business associates: 48%
Annual or periodic security risk assessments: 48%
Updated policies and procedures in response to regulatory changes: 47%
Incident response plan development and/or test: 26%
Annual or periodic privacy risk assessments: 16%
Part 3. Implications and recommendations
Healthcare organizations need to strengthen their privacy and security posture if they are to
reduce the number of data breaches occurring in their organizations. The findings suggest a low
level of confidence in the ability to safeguard healthcare organizations from the mobility and
BYOD risks as well as in being able to detect data breaches and medical identity theft. The
following is a list of recommendations:
• Make the business case for investing in people, process and technologies based on the economic impact to healthcare organizations participating in this benchmark research. Consider elevating the chief privacy and security role from the hierarchical organization to one that reports directly to the board of directors.
• Conduct a privacy and security risk assessment annually to understand what practices may be putting your organization at risk. Storing large amounts of confidential data or failing to institute appropriate safeguards limiting access to PHI can expose healthcare organizations to unnecessary risks.
• Create a comprehensive mobile device policy (including detailed guidelines) for all employees and contractors. The policy should address the risks and the security procedures that should be followed. Reinforce your mobile device policy with employee education on the importance of safeguarding their mobile devices and how to avoid risky behaviors.
• Before deploying cloud applications and services, ensure the appropriate security requirements are in place. Depending upon how you are using the cloud, your cloud provider may be considered a business associate under HIPAA. Be sure to evaluate your relationship with your cloud provider and sign a business associate agreement if appropriate.
• Ensure electronic health records (EHR) and HIE plans include rigorous privacy and security analysis and that key privacy and security personnel are actively involved in the implementation teams.
A stronger security posture will lead to greater confidence that patients’ confidential and sensitive
information is protected and costly financial and medical identity theft incidents will be prevented.
Most important, limiting the financial consequences of a data breach can mean that more
resources will be spent on the delivery of quality healthcare services.
Part 4. Limitations
The presented findings are based on self-reported benchmark survey returns. Usable returns
from 80 organizations – or about 16 percent of those organizations initially contacted – were
collected and used in the above-mentioned analysis. It is always possible those organizations
that chose not to participate are substantially different in terms of data protection and compliance
activities.
Because our sampling frame is a proprietary list of organizations known to the researcher, the
quality of our results is influenced by the accuracy of contact information and the degree to which
the list is representative of the population of all covered entities and business associates in the
United States. While it is our belief that our sample is representative, we do acknowledge that
results may be biased in two important respects:
• Survey results are skewed to larger-sized healthcare organizations, excluding the plethora
  of very small provider organizations including local clinics and medical practitioners.
• Our contact methods targeted individuals who are presently in the data protection, security,
  privacy or compliance fields. Hence, it is possible that contacting other individuals in these
  same organizations would have resulted in different findings.
To keep the survey concise and focused, we omitted other normatively important variables from
the analyses. Omitted variables might explain survey findings, especially differences between
covered entities and business associates as well as organizational size.
The quality of survey research is based on the integrity of confidential responses received from
respondents. While certain checks and balances have been incorporated into our survey
methods, there is always the possibility that certain respondents did not provide accurate or
complete responses to our benchmark instrument.
We fully acknowledge that our sample size is small and, hence, the ability to generalize findings
about organizational size, organizational type, and program maturity is limited. Great care should
be exercised before attempting to generalize these findings to the population of all health care
providers.
Finally, we compare the 2012 results to benchmark studies completed in 2011 and 2010. While
these three samples were approximately matched based on organizational size, type and
regional location, we can only infer trends from between-sample differences.
Q12. In your opinion (best guess), what best describes the lifetime economic value, on average, of one patient or customer to your organization?

Response                                               FY 2012   FY 2011   FY 2010
Less than $10,000                                      9%        10%       12%
$10,001 to $50,000                                     32%       31%       29%
$50,001 to $100,000                                    24%       23%       21%
$100,001 to $200,000                                   12%       10%       13%
$200,001 to $500,000                                   7%        4%        5%
$500,001 to $1 million                                 3%        3%        3%
More than $1 million                                   2%        3%        2%
Cannot determine                                       11%       16%       15%
Total                                                  100%      100%      100%
Average lifetime value of one lost patient (customer)  $111,810  $113,400  $107,580

Q13. In your opinion (best guess), what best describes the economic impact of data breach incidents experienced by your organization over the past two years?

Response                                                        FY 2012     FY 2011     FY 2010
Less than $10,000                                               3%          5%          4%
$10,001 to $50,000                                              1%          2%          1%
$50,001 to $100,000                                             3%          3%          4%
$100,001 to $200,000                                            8%          8%          11%
$200,001 to $500,000                                            23%         26%         25%
$500,001 to $1 million                                          26%         21%         19%
More than $1 million                                            31%         30%         29%
Cannot determine                                                5%          5%          7%
Total                                                           100%        100%        100%
Average economic impact of data breach over the past two years  $2,390,270  $2,243,700  $2,060,174

Q14. Does your EHR (electronic healthcare records) system allow your organization to comply with the HHS mandated requirements to protect patient privacy?

Response           FY 2012
Yes                22%
Partially          29%
No                 19%
We don't use EHRs  30%
Total              100%

Q15. Is your organization a member of a Health Information Exchange (HIE), defined as the mobilization of healthcare information electronically across organizations within a region, community or hospital system?

Response                                      FY 2012
Yes                                           28%
We will become a member                       17%
We are considering membership                 20%
No, we do not plan to become a member of HIE  35%
Total                                         100%

Q16. What is your level of confidence as to the security and privacy of patient data shared on Health Information Exchanges?

Response            FY 2012
Very confident      17%
Confident           17%
Somewhat confident  30%
Not confident       36%
Total               100%
Q17a. Does your organization permit employees and medical staff to use their own mobile devices such as smartphones or tablets to connect to your organization's networks or enterprise systems (such as email)?

Response  FY 2012
Yes       81%
No        19%
Total     100%

Q17b. If yes, approximately what percentage of your organization's employees (including part-time and contract employees) use their personally owned mobile device such as a smartphone or tablet?

Response            FY 2012
Less than 10%       5%
10 to 25%           11%
26 to 50%           35%
51 to 75%           21%
More than 75%       28%
Total               100%
Extrapolated value  51%

Q17c. If yes, how does your organization ensure these personally owned mobile devices are secure enough to connect to your organization’s network or enterprise systems? Please select all that apply.

Response                                                                                     FY 2012
Scan devices for viruses and malware prior to connection                                     21%
Scan devices and remove all mobile apps that present a security threat prior to connection   16%
Scan devices for viruses and malware while they are connected                                40%
Require anti-virus/anti-malware software to reside on the mobile device prior to connection  23%
Require user to read and sign an acceptable use policy prior to connection                   45%
Limit access from devices to critical systems including those that connect to PHI           51%
Limit or restrict the download of PHI onto these devices                                     38%
None of the above steps are done                                                             46%
Other (please specify)                                                                       2%
Total                                                                                        282%

Q17d. If yes, what is your level of confidence as to the security of the personally-owned mobile devices used in your organization?

Response            FY 2012
Very confident      9%
Confident           16%
Somewhat confident  21%
Not confident       54%
Total               100%

Q18a. Does your organization use social media to engage with patients?

Response  FY 2012
Yes       42%
No        58%
Total     100%
Q18b. If yes, what is your level of confidence that the patient data shared on your organization's social media forums is secure?

Response            FY 2012
Very confident      10%
Confident           17%
Somewhat confident  23%
Not confident       50%
Total               100%

Q19. Does the scope of your organization’s IT security and/or data protection activities include the security of FDA-approved medical devices such as those attached or not attached to the patient (such as insulin pumps or medical imaging equipment)?

Response  FY 2012
Yes       31%
No        69%
Total     100%

Cloud services refer to distributed computing solutions that can be owned by third parties in data center locations outside the end-user company’s IT infrastructure. Consumers of cloud computing services purchase capacity on demand and are not concerned with the underlying technologies used to increase computing capacity.

Q20. What best describes your organization's use of cloud services?

Response                                FY 2012
No use of cloud services (skip to Q25)  9%
Light use of cloud services             29%
Moderate use of cloud services          30%
Heavy use of cloud services             32%
Total                                   100%

Q21. What cloud applications or services does your organization presently use? Please select all that apply.

Response                                                                FY 2012
Peer-to-peer communications (such as Skype)                             35%
Social media applications (such as Facebook, YouTube, Twitter, etc.)    26%
File sharing applications such as DropBox, Box.net and others           39%
Business applications (such as Google Docs, webmail, etc.)              35%
Infrastructure applications (online backup, security, archiving, etc.)  33%
Services such as identity management, payments, search and others       28%
Solution stacks such as Java, PHP, Python, ColdFusion and others        19%
Storage                                                                 41%
Other (please specify)                                                  2%
Total                                                                   258%
Q26. How has the threat of an OCR HIPAA Audit affected changes in your organization (select the top two changes)?

Response                                           FY 2012
Required an update of our policies and procedures  57%
Conducted employee training                        27%
Conducted a risk assessment/risk analysis          60%
Purchased cyber insurance                          9%
No changes                                         47%
Total                                              200%

Q27. What best describes the process for preventing and detecting data breach incidents in your organization today? Please select one best choice.

Response                                                      FY 2012   FY 2011   FY 2010
An “ad hoc” process                                           23%       27%       35%
Mostly a process that relies on policies and procedures       28%       29%       23%
Mostly a process that relies on security technologies         20%       21%       16%
A combination of manual procedures and security technologies  24%       19%       20%
None of the above                                             5%        4%        6%
Total                                                         100%      100%      100%

Q28. How confident are you that your organization has the ability to prevent or quickly detect patient data loss or theft in your organization?

Response                                        FY 2012   FY 2011   FY 2010
Very confident and confident response combined  40%       34%       31%

Q29. Does your organization perform the following activities (Please check all that apply)?

Response                                                                       FY 2012
Annual or periodic privacy risk assessments                                    16%
Annual or periodic security risk assessments                                   48%
Incident response plan development and or test                                 26%
Updated policies and procedures in response to regulatory changes              47%
Annual or periodic HIPAA privacy and security awareness training of all staff  56%
Vetting and monitoring of third parties, including business associates         49%
Updating of agreements with business associates                                48%
Total                                                                          290%

Post-incident risk assessment. The HITECH Act’s Breach Notification Rule requires organizations to have a process for performing an incident risk assessment for each privacy incident as described in the Administrative Burden of Proof (45 CFR 164.414) provision of the Act. The level of risk or harm found by the incident risk assessment determines whether a data breach has occurred and therefore must follow the data breach notification requirements under the breach notification rule.

Q30a. Does your organization conduct and document post data breach incident risk assessments as mandated by the HITECH Act?

Response  FY 2012   FY 2011
Yes       68%       61%
No        18%       21%
Unsure    14%       18%
Total     100%      100%
Q30b. If yes, which one of the following choices best describes your process?

Response                                                             FY 2012   FY 2011
An ad-hoc process                                                    28%       33%
A paper-based process or tool that was developed internally          34%       31%
A software-based process or tool that was developed internally       17%       15%
A software-based process or tool that was developed by a third party  21%       21%
Total                                                                100%      100%

Medical identity theft is defined as the theft of a patient’s health credential to obtain medical treatment, services and products (devices).

Q31. How many separate medical identity theft incidents did your organization experience over the past 12 months?

Response            FY 2012
None                48%
Only 1              12%
2 to 5              22%
6 to 10             11%
More than 10        7%
Total               100%
Extrapolated value  2.5

Q32. Were any of these medical identity theft incidents the result of a data breach experienced by your organization?

Response                 2012 Pct%
Yes, absolutely certain  3%
Yes, most likely         15%
No                       50%
Unsure                   32%
Total                    100%

Q33a. Have any medical identity theft incidents occurred that resulted in inaccuracies in patients’ records?

Response                 2012 Pct%
Yes, absolutely certain  3%
Yes, most likely         36%
No                       36%
Unsure                   25%
Total                    100%

Q33b. If yes, has this affected the patient’s medical treatment as a result of inaccuracies?

Response                 2012 Pct%
Yes, absolutely certain  3%
Yes, most likely         23%
No                       48%
Unsure                   26%
Total                    100%

Q34. In your opinion, does your organization have sufficient controls or procedures in place to prevent and/or quickly detect medical identity theft incidents?

Response  2012 Pct%
Yes       33%
No        67%
Total     100%
Q35. In your opinion, what harms do patients actually suffer if their records are lost or stolen?

Response                                                     FY 2012   FY 2011   FY 2010
Increased risk of financial identity theft                   61%       59%       56%
Increased risk of medical identity theft                     59%       51%       45%
Increased risk that personal health facts will be disclosed  70%       73%       61%
None                                                         9%        10%       8%
Total                                                        199%      193%      170%

Credit monitoring is defined as monitoring of changes to an individual’s credit report such as the creation of new credit accounts.

Q36. Do you believe credit monitoring is effective in preventing or detecting medical identity theft?

Response  FY 2012   FY 2011
Yes       18%       28%
No        69%       72%
Unsure    13%       0%
Total     100%      100%

Q37. If you do not believe or are unsure that credit monitoring is effective, do you believe that another solution for the prevention and detection of medical identity theft is needed?

Response  FY 2012   FY 2011
Yes       46%       74%
No        23%       11%
Unsure    31%       15%
Total     100%      100%

For more information about this study, please contact Ponemon Institute by sending an
email to research@ponemon.org or calling our toll free line at 1.800.887.3118.
Ponemon Institute
Advancing Responsible Information Management
Ponemon Institute is dedicated to independent research and education that advances responsible
information and privacy management practices within business and government. Our mission is to conduct
high quality, empirical studies on critical issues affecting the management and security of sensitive
information about people and organizations.
As a member of the Council of American Survey Research Organizations (CASRO), we uphold strict
data confidentiality, privacy and ethical research standards. We do not collect any personally identifiable
information from individuals (or company identifiable information in our business research). Furthermore, we
have strict quality standards to ensure that subjects are not asked extraneous, irrelevant or improper
questions.